Old 03-12-2009, 12:55 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Help with trojan.brisv.A!inf

Hi

Last night I was going through my music to clean out some files I no longer wanted, when I came across a file that I do not remember downloading. My Symantec antivirus kept giving alerts every 30 seconds or so, and I had to LiveUpdate Symantec to recognize the trojan. I could not get rid of the trojan in normal mode, but in safe mode I was able to clean and delete the file. I ran a scan in safe mode with Symantec and Malwarebytes' Anti-Malware scanner, and neither could find the infected file. I did the same scans again today in normal mode and still no trace of the file. However, since dealing with this problem, my computer has been running much slower than normal.

I assume that the file in question came from LimeWire, but I have not used LimeWire since October, and I have deleted LimeWire and its associated folders after this incident occurred.

I followed the First Steps instructions and downloaded dds.scr and GMER, but cannot figure out how to disable any script blockers. Both Symantec and Malwarebytes are disabled, but dds.scr still will not perform a scan.

If anybody could help me figure out how to fix these problems, it would be greatly appreciated.

-Andrew

Last edited by ajaques20; 03-12-2009 at 12:57 PM. Reason: additional info

Old 03-12-2009, 02:32 PM   #2 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

I got DDS to work, but when I try to run GMER, my computer restarts itself.
I've attached the DDS logs.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Andrew at 15:29:25.64 on Thu 03/12/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1248 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andrew\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\rwgb7s7h.default\
FF - prefs.js: browser.startup.homepage - hxxp://myneu.neu.edu/cp/home/loginf
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2008-7-14 15416]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f691e717\AEstSrv.exe [2008-7-14 73728]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 19456]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-5-22 341328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-17 24652]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-5-22 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-23 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-11 101936]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]

=============== Created Last 30 ================

2009-03-10 19:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-10 19:58 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-10 19:58 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-10 19:58 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-10 19:58 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 19:58 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-16 17:40 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-16 17:40 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-16 17:40 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-16 17:40 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-16 17:40 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 13:25 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 13:25 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-01-10 20:51 157,427 a------- c:\windows\hpoins27.dat
2009-01-10 20:35 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-10 20:35 86,016 a------- c:\windows\inf\infstor.dat
2009-01-10 20:35 51,200 a------- c:\windows\inf\infpub.dat
2008-12-10 21:01 31 a------- c:\users\andrew\jagex_runescape_preferences.dat
2008-09-21 17:47 22,328 a------- c:\users\andrew\appdata\roaming\PnkBstrK.sys
2008-08-15 22:01 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:33:42.65 ===============
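The DDS log above is what the helper reads by hand. As an added example (not code from the thread or from the DDS tool), here is a small Python triage script that parses the Run, BHO and StartupFolder lines of a DDS "Pseudo HJT Report" section and flags orphaned BHO entries, autoruns that start from temporary locations, and autoruns that borrow a system binary's name outside system32. The sample log and its "Updater" line are constructed, and the location and name rules are this example's own assumptions.

```python
"""Triage the autorun entries in a DDS 'Pseudo HJT Report' section.

Added example: not part of the thread, and not code from the DDS tool.
The sample log is constructed from the kinds of lines the thread shows;
the 'Updater' entry is an invented suspicious line, and the rules in
SUSPICIOUS_DIRS / SYSTEM_NAMES are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in DDS pseudo-HJT format (raw string keeps the backslashes).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Updater] c:\users\andrew\appdata\local\temp\svchost.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe

================= FIREFOX ===================
FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\xxxx.default\
"""

# Line shapes used by DDS for the three autorun kinds handled here.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<target>.+)$")
# First executable on a command line, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Assumed rules: persistent autoruns rarely belong in these places or under these names.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\$recycle.bin\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass
class Entry:
    kind: str        # "run", "bho" or "startup"
    name: str        # Run value name, BHO display name/CLSID, or .lnk file name
    target: str      # executable or DLL path, or "No File"
    note: str = ""   # triage note; empty when nothing notable


def executable_of(cmd: str) -> str:
    """Return the executable path from a Run-key command line, lower-cased."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("exe") if m else cmd.strip()).lower()


def triage(path: str) -> str:
    """Apply the assumed rules to one target path and return a note, or ''."""
    p = path.lower()
    if p == "no file":
        return "orphaned: CLSID registered but its DLL is missing"
    base = p.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in p:
        return f"system binary name {base} outside system32"
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "starts from a temporary or user-writable location"
    return ""


def parse_pseudo_hjt(text: str) -> list[Entry]:
    """Collect Run, BHO and StartupFolder entries from the pseudo-HJT section only."""
    entries: list[Entry] = []
    inside = False
    for line in text.splitlines():
        if line.startswith("="):            # DDS section banner
            if inside:
                break                       # left the pseudo-HJT section
            inside = "Pseudo HJT Report" in line
            continue
        if not inside:
            continue
        if m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            entries.append(Entry("run", m["name"], exe, triage(exe)))
        elif m := BHO_RE.match(line):
            entries.append(Entry("bho", m["name"] or m["clsid"], m["target"], triage(m["target"])))
        elif m := STARTUP_RE.match(line):
            target = m["target"].lower()
            entries.append(Entry("startup", m["lnk"].rsplit("\\", 1)[-1], target, triage(target)))
    return entries


def findings(text: str) -> list[Entry]:
    """Only the entries that earned a triage note."""
    return [e for e in parse_pseudo_hjt(text) if e.note]


if __name__ == "__main__":
    for e in findings(SAMPLE_LOG):
        print(f"{e.kind:8}{e.name:40}{e.note}")
```

Entries such as "BHO: NoExplorer - No File" carry no CLSID and are deliberately skipped, so a real log should still be read in full; the script narrows the list, it does not replace the helper.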
Old 03-14-2009, 05:15 AM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Hello & Welcome to TSF
I'm having a look at your log/s now. Please give me a little time to get back to you with instructions.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

Let's see if we can get Gmer to run:

Open notepad & copy/paste the text in the Codebox below into it:
Code:
@echo off
REM Make a copy of gmer.exe under a different file name
copy /y gmer.exe omer.exe
REM Launch the renamed copy instead of gmer.exe itself
start omer
Save this as run.bat (choose "Save type as - All Files") next to gmer.exe.
It should look like this:
Double click on run.bat & allow it to run

Then, use these settings to produce a log.
  • If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and attach it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Old 03-14-2009, 09:09 AM   #4 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

Hi jmw3,

Thank you very much for helping me with this issue. I ran the batch file and it created "omer.exe", which I ran without success. I am experiencing the same restart problem as with gmer.exe. Before the computer restarts, the screen will go black with a blue colored bar on the bottom of the screen about 1 inch thick, and then will proceed to restart.

-Andrew
Old 03-14-2009, 04:17 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

After downloading the file but before saving it, rename it from ComboFix.exe to Combo-Fix.exe
**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Try running Gmer again.

To post in next reply:
ComboFix log
Gmer log (if it ran)
Old 03-15-2009, 12:11 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

Ran ComboFix without problems. However, GMER still has the same problems as before. Windows Reports and Solutions gave this message: "Problem was caused by Kaspersky Anti-virus. To solve problem, run automatic update tool that comes with Kaspersky Anti-virus." I can't seem to make sense of this because I have never heard of this program before.

Also, when C:\Combofix was created, I noticed another text file, "avenger.txt". I'm not sure where this came from. Is it related in any way to ComboFix?

ComboFix 09-03-14.01 - Andrew 2009-03-15 1336.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1704 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-10 19:58 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 19:58 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 19:58 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 19:58 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 19:58 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 19:58 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-02-16 17:40 . 2008-12-05 00:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-16 17:40 . 2008-12-05 00:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-16 17:40 . 2008-12-05 00:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-16 17:40 . 2008-12-05 00:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-16 17:40 . 2008-12-05 00:31 80,896 --a------ c:\windows\System32\MSNP.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 07:06 --------- d-----w c:\program files\Windows Mail
2009-02-12 08:11 --------- d-----w c:\program files\Google
2009-01-22 20:32 --------- d-----w c:\program files\Yahoo!
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-12-11 01:01 31 ----a-w c:\users\Andrew\jagex_runescape_preferences.dat
2008-09-21 21:47 22,328 ----a-w c:\users\Andrew\AppData\Roaming\PnkBstrK.sys
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-17 1033512]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-16 442433]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-05-15 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-01 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-01-03 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
--a------ 2008-10-16 20:25 1257104 c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AFB81D35-0D10-430F-9C6F-5A7D081D905C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{1DD3AEF4-3D94-47E5-B620-4E3A5F5E6E54}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{52F0D097-4A39-437B-96FF-F6EA98DC6ADA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9B04CD62-979C-42C8-BC42-585DAC9D2369}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{29AAF573-F7A5-4CB7-9EAC-979E8BB1FF27}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{E3A1308F-A1A6-41C5-9B8F-E4B20AD066ED}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7E362FF1-9E47-42B5-9413-46CDD589D623}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0BED128B-D3E3-47EF-B984-46A2645DC5DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2420BD94-715C-4E18-8F02-B1BA73339BE0}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{C14B00A5-D7E4-4B82-8438-6A80185ED6B0}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A9299C32-F4CA-423B-AF3C-EB4AEF016F15}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{4AC4E521-8C86-4F32-B2F0-676ACBD2E092}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{9C510E02-BC5B-46CF-BB98-537712869237}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{E02121B7-265B-4347-B5F4-CE5D0297D48E}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{6D97015F-2FE4-4983-B308-144CCF0B8CDC}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{72782681-031A-4ABA-BEA0-80E8E049A9A3}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{76889BC5-E750-4EFD-A358-C8920D81C206}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E4B9CDE1-63DB-4D98-8115-BAB3D94F07B1}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{4C1D5211-3A0C-4BE9-9118-58FFA914D6DA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D5E2DE17-DE69-4614-9E9C-4965193C4F9F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5E382A0B-FB4F-4B0C-81E0-87A6DA3922F4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CC29E517-9CD8-428C-B47C-5F354220D419}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{85FA06FF-F1F8-42BA-9C8B-0B20FC48B7A8}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{29D1B7AE-03E7-4BE7-8FCD-2BC7C70AC683}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{246625CE-7358-4D4C-81F3-EBD71A83C9E5}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{082096A8-A7E7-41C9-9050-F3D86BC53222}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{8E6C5EFF-92BA-4F34-9B28-CDC14AC4C2DE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{BF9DF22F-D85D-49B8-BE7B-7CF6CC9643F7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{5A771520-209F-498F-B56E-D7B3DAE661C6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{13236BE7-0224-41F1-A044-9020168A995D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{9E3A1A8C-5A01-40EF-B0CF-DD140F667B90}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{D5B8AF4D-509D-4242-B2CA-7279928E1C85}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{83D8E934-EE54-4C52-8BC0-188CCCFDDBF9}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{8A32448C-2A07-4F85-B5F8-45D5531B9933}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{4FE7A2B5-A41F-4BBD-AF48-2FCAC9BC9CF5}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{C8C83329-E80F-4654-8917-96A494B8BA97}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java(TM) Platform SE binary

R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\System32\drivers\Amddfltr.sys [2008-07-14 15416]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\AEstSrv.exe [2008-07-14 73728]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2008-03-18 19456]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-05-22 341328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-17 24652]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-05-22 193840]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2008-01-23 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-11 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{564712b0-918e-11dd-ae1b-001e689c2247}]
\shell\AutoRun\command - F:\Autorun.exe /run
\shell\Shell00\Command - F:\Autorun.exe /run
\shell\Shell01\Command - F:\Autorun.exe /action
\shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57801952-d9e1-11dd-b373-001e689c2247}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\HPCeeScheduleForAndrew.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-12-17 23:03]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\rwgb7s7h.default\
FF - prefs.js: browser.startup.homepage - hxxp://myneu.neu.edu/cp/home/loginf
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 13:16:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-15 13:25:39
ComboFix-quarantined-files.txt 2009-03-15 17:25:32

Pre-Run: 169,061,937,152 bytes free
Post-Run: 169,153,089,536 bytes free

173 --- E O F --- 2009-03-11 07:01:27
ajaques20 is offline  
Old 03-16-2009, 01:58 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Avenger.txt is a log produced by another malware removal tool called Avenger. Have you used it or been instructed to use it previously?

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
File::
F:\Autorun.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2420BD94-715C-4E18-8F02-B1BA73339BE0}"=-
"{C14B00A5-D7E4-4B82-8438-6A80185ED6B0}"=-
"TCP Query User{85FA06FF-F1F8-42BA-9C8B-0B20FC48B7A8}c:\\program files\\limewire\\limewire.exe"=-
"UDP Query User{29D1B7AE-03E7-4BE7-8FCD-2BC7C70AC683}c:\\program files\\limewire\\limewire.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{564712b0-918e-11dd-ae1b-001e689c2247}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57801952-d9e1-11dd-b373-001e689c2247}]
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


With regard to Gmer:
========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================
Right click on Gmer.exe & choose Run as Administrator.
See if that helps.

To post in next reply:
Combofix log
Gmer log (if you got it to run)
jmw3 is offline  
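Before running a removal script like the CFScript above, a practitioner normally wants to look at the same registry locations read-only and confirm what is actually there. The PowerShell script below is an added example, not part of this thread and not a ComboFix or forum tool. It lists the per-volume autorun handlers under MountPoints2, the Windows Security Center suppression values, and the Windows Firewall rules for any program matching a pattern, which are the three areas the CFScript edits. It assumes the Vista-era registry layout visible in the ComboFix log, PowerShell 3 or later, and an elevated prompt; the $AppPattern parameter is an assumption, as are the *DisableNotify value names (present in the XP/Vista Security Center, absent on later Windows, and simply skipped if missing).

```powershell
<#
  Added example, not part of the thread or of ComboFix: a read-only audit of
  the three registry areas the CFScript above edits, so what is there can be
  confirmed before any of it is deleted. Assumes the Vista-era layout the
  ComboFix log shows and PowerShell 3 or later. Run from an elevated prompt.
  $AppPattern is a hypothetical parameter: a regex for the executable whose
  firewall rules you want listed.
#>
param(
    [string]$AppPattern = 'limewire\.exe'
)

# --- 1. Per-volume autorun handlers (HKCU ...\Explorer\MountPoints2) ---------
# Each subkey is a volume GUID; shell\<verb>\command is what Explorer runs for
# that verb. An AutoRun verb pointing at a removable drive letter is the
# classic USB autorun vector and is what the CFScript removes.
$mpRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$mountPoints = Get-ChildItem -Path $mpRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $volume = $_.PSChildName
    $shell  = "$($_.PSPath)\shell"
    if (Test-Path -Path $shell) {
        Get-ChildItem -Path $shell -Recurse |
            Where-Object { $_.PSChildName -ieq 'command' } |
            ForEach-Object {
                [pscustomobject]@{
                    Area  = 'MountPoints2'
                    Key   = $volume
                    Item  = ($_.PSParentPath -split '\\')[-1]      # verb: AutoRun, Shell00, ...
                    Value = (Get-ItemProperty -Path $_.PSPath).'(default)'
                }
            }
    }
}

# --- 2. Windows Security Center suppression values (HKLM) -------------------
# *DisableNotify hides the tray warnings; Monitoring\<product>\DisableMonitoring
# tells Security Center to stop watching that product. Malware sets these to 1
# so a disabled AV or firewall raises no alert; the CFScript resets them to 0.
$scRoot = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$securityCenter = @()
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = (Get-ItemProperty -Path $scRoot -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v) {
        $securityCenter += [pscustomobject]@{ Area = 'SecurityCenter'; Key = 'Security Center'; Item = $name; Value = $v }
    }
}
$monKeys = @("$scRoot\Monitoring") +
           @(Get-ChildItem -Path "$scRoot\Monitoring" -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
foreach ($k in $monKeys) {
    $v = (Get-ItemProperty -Path $k -Name DisableMonitoring -ErrorAction SilentlyContinue).DisableMonitoring
    if ($null -ne $v) {
        $securityCenter += [pscustomobject]@{ Area = 'SecurityCenter'; Key = ($k -split '\\')[-1]; Item = 'DisableMonitoring'; Value = $v }
    }
}

# --- 3. Windows Firewall rules for a program (HKLM ...\FirewallRules) --------
# Each value is one rule: a version token followed by pipe-delimited Key=Value
# fields (Action, Active, Dir, Protocol, App, Name, ...). ComboFix prints the
# same data as "<valuename>"= [Disabled:][TCP|UDP:]<App>:<Name>.
$fwRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$protoNames = @{ '6' = 'TCP'; '17' = 'UDP' }
$firewall = (Get-ItemProperty -Path $fwRoot -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -like 'v*|*' } |
    ForEach-Object {
        $f = @{}
        foreach ($part in $_.Value.Split('|')) {
            if ($part -match '^([^=]+)=(.*)$') { $f[$matches[1]] = $matches[2] }
        }
        if ($f['App'] -and $f['App'] -match $AppPattern) {
            $proto = 'Any'
            if ($f.ContainsKey('Protocol')) {
                $proto = $protoNames[$f['Protocol']]
                if (-not $proto) { $proto = "proto $($f['Protocol'])" }
            }
            $state = if ($f['Active'] -eq 'FALSE') { 'Disabled' } else { 'Enabled' }
            [pscustomobject]@{
                Area  = 'FirewallRules'
                Key   = $_.Name
                Item  = '{0} {1} {2} {3}' -f $f['Dir'], $proto, $f['Action'], $state
                Value = $f['App']
            }
        }
    }

# --- Report ------------------------------------------------------------------
$report = @($mountPoints) + @($securityCenter) + @($firewall) | Where-Object { $null -ne $_ }
if ($report) {
    $report | Format-Table -AutoSize -Property Area, Key, Item, Value
} else {
    Write-Output 'Nothing found in MountPoints2, Security Center or FirewallRules for the given pattern.'
}
# Flag the entries worth a second look before anything is removed.
$report | Where-Object { $_.Area -eq 'MountPoints2' -and $_.Item -ieq 'AutoRun' } |
    ForEach-Object { Write-Warning "AutoRun handler for volume $($_.Key): $($_.Value)" }
$report | Where-Object { $_.Area -eq 'SecurityCenter' -and $_.Value -ne 0 } |
    ForEach-Object { Write-Warning "Security Center suppression set: $($_.Key)\$($_.Item) = $($_.Value)" }
```

Save it under any name (Audit-Autostarts.ps1 is a hypothetical one) and run it elevated with a pattern such as -AppPattern 'limewire\.exe'. Firewall value names of the form "TCP Query User{GUID}<path>" are the rules Windows creates when a user answers the firewall's Unblock prompt for that program, which is why deleting them is harmless once the program itself is gone; a MountPoints2 AutoRun handler only matters while the matching volume is plugged in, so check the drive letter against what is currently attached before treating it as active.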
Old 03-16-2009, 10:58 AM   #8 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

Hi

Here is the ComboFix log. Gmer still would not run, but the scan seemed to progress further than in previous tries before restarting the computer. I cannot remember ever using Avenger for anything, and I have not touched the file since I noticed it. Also, my Java Automatic Update is going off. Is it safe to update that at this point or should I wait?

ComboFix 09-03-15.01 - Andrew 2009-03-16 11:53:35.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1686 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated)

FILE ::
F:\Autorun.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-10 19:58 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 19:58 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 19:58 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 19:58 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 19:58 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 19:58 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-02-16 17:40 . 2008-12-05 00:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-16 17:40 . 2008-12-05 00:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-16 17:40 . 2008-12-05 00:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-16 17:40 . 2008-12-05 00:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-16 17:40 . 2008-12-05 00:31 80,896 --a------ c:\windows\System32\MSNP.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 07:06 --------- d-----w c:\program files\Windows Mail
2009-02-12 08:11 --------- d-----w c:\program files\Google
2009-01-22 20:32 --------- d-----w c:\program files\Yahoo!
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-12-11 01:01 31 ----a-w c:\users\Andrew\jagex_runescape_preferences.dat
2008-09-21 21:47 22,328 ----a-w c:\users\Andrew\AppData\Roaming\PnkBstrK.sys
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-03-15_13.21.17.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-14 15:03:22 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-15 17:50:13 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-14 15:03:22 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-15 17:50:13 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-15 17:16:48 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-15 17:54:39 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-15 17:17:38 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-15 17:54:49 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-15 17:54:49 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-03-15 17:06:20 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-03-16 15:51:57 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-03-14 15:09:40 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-15 17:56:11 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-14 15:09:40 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-15 17:56:11 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-14 15:07:15 8,682 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3483921712-289808956-2440906361-1000_UserData.bin
+ 2009-03-15 17:55:33 8,690 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3483921712-289808956-2440906361-1000_UserData.bin
- 2009-03-14 15:07:13 101,364 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-15 17:55:23 101,898 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-15 16:43:29 351,722 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-16 15:40:02 352,084 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-17 1033512]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-16 442433]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-05-15 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-01 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-01-03 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
--a------ 2008-10-16 20:25 1257104 c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AFB81D35-0D10-430F-9C6F-5A7D081D905C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{1DD3AEF4-3D94-47E5-B620-4E3A5F5E6E54}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{52F0D097-4A39-437B-96FF-F6EA98DC6ADA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9B04CD62-979C-42C8-BC42-585DAC9D2369}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{29AAF573-F7A5-4CB7-9EAC-979E8BB1FF27}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{E3A1308F-A1A6-41C5-9B8F-E4B20AD066ED}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7E362FF1-9E47-42B5-9413-46CDD589D623}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0BED128B-D3E3-47EF-B984-46A2645DC5DC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A9299C32-F4CA-423B-AF3C-EB4AEF016F15}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{4AC4E521-8C86-4F32-B2F0-676ACBD2E092}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{9C510E02-BC5B-46CF-BB98-537712869237}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{E02121B7-265B-4347-B5F4-CE5D0297D48E}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{6D97015F-2FE4-4983-B308-144CCF0B8CDC}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{72782681-031A-4ABA-BEA0-80E8E049A9A3}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{76889BC5-E750-4EFD-A358-C8920D81C206}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E4B9CDE1-63DB-4D98-8115-BAB3D94F07B1}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{4C1D5211-3A0C-4BE9-9118-58FFA914D6DA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D5E2DE17-DE69-4614-9E9C-4965193C4F9F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5E382A0B-FB4F-4B0C-81E0-87A6DA3922F4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CC29E517-9CD8-428C-B47C-5F354220D419}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{246625CE-7358-4D4C-81F3-EBD71A83C9E5}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{082096A8-A7E7-41C9-9050-F3D86BC53222}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{8E6C5EFF-92BA-4F34-9B28-CDC14AC4C2DE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{BF9DF22F-D85D-49B8-BE7B-7CF6CC9643F7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{5A771520-209F-498F-B56E-D7B3DAE661C6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{13236BE7-0224-41F1-A044-9020168A995D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{9E3A1A8C-5A01-40EF-B0CF-DD140F667B90}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{D5B8AF4D-509D-4242-B2CA-7279928E1C85}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{83D8E934-EE54-4C52-8BC0-188CCCFDDBF9}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{8A32448C-2A07-4F85-B5F8-45D5531B9933}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{4FE7A2B5-A41F-4BBD-AF48-2FCAC9BC9CF5}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{C8C83329-E80F-4654-8917-96A494B8BA97}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java(TM) Platform SE binary

R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\System32\drivers\Amddfltr.sys [2008-07-14 15416]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\AEstSrv.exe [2008-07-14 73728]
R2 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2008-03-18 19456]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-05-22 341328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-17 24652]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-05-22 193840]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2008-01-23 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-11 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\HPCeeScheduleForAndrew.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-12-17 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\rwgb7s7h.default\
FF - prefs.js: browser.startup.homepage - hxxp://myneu.neu.edu/cp/home/loginf
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 12:02:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-16 12:10:26
ComboFix-quarantined-files.txt 2009-03-16 16:10:22
ComboFix2.txt 2009-03-15 17:25:45

Pre-Run: 168,507,727,872 bytes free
Post-Run: 168,475,500,544 bytes free

181 --- E O F --- 2009-03-11 07:01:27
ajaques20 is offline  
Old 03-17-2009, 12:42 AM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Hi
Quote:
Also, my Java Automatic Update is going off. Is it safe to update that at this point or should I wait?
Yes, it's OK to update Java... in fact I was going to get you to do that next.

Update Java Runtime
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
jmw3 is offline  
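The Java steps above come down to: find every installed JRE, uninstall each one, reboot, then install the new version. As an added example (not the thread's own instructions and not a Sun/Oracle tool), this PowerShell script does the first two of those steps from the Uninstall registry keys instead of clicking through Add/Remove Programs. It assumes PowerShell 3 or later, an elevated prompt, that each JRE entry is an MSI product whose key name is its product code (true of the Sun installers of the period), and a display-name regex that is my own guess at the names those installers used. Without -Remove it only lists what is installed.

```powershell
<#
  Added example, not part of the thread: list every installed Java runtime
  from the Uninstall registry keys and, with -Remove, uninstall the MSI-based
  ones silently so that only the freshly downloaded JRE remains to install.
  Assumes PowerShell 3+, an elevated prompt, and that JRE entries carry their
  MSI product code as the key name. The display-name regex is an assumption.
#>
param(
    [switch]$Remove
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # present on 64-bit hosts only
)

# Display names of the form "Java(TM) 6 Update 12",
# "Java(TM) SE Runtime Environment 6 Update 1", "J2SE Runtime Environment 5.0 Update 6".
# The JDK is excluded on purpose; the thread only deals with runtimes.
$javaNamePattern = '^(Java\(TM\)|J2SE|Java SE|Java \d)'

$installed = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DisplayName -and $p.DisplayName -match $javaNamePattern -and $p.DisplayName -notmatch 'Development Kit') {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                Version         = $p.DisplayVersion
                ProductCode     = $_.PSChildName
                UninstallString = $p.UninstallString
                InstallLocation = $p.InstallLocation
            }
        }
    }
}

if (-not $installed) {
    Write-Output 'No Java runtime found in the Uninstall keys.'
    return
}

$installed | Sort-Object Version | Format-Table -AutoSize -Property DisplayName, Version, ProductCode

if ($Remove) {
    foreach ($jre in $installed) {
        # MSI products are removed by product code; anything else is left for
        # the operator, with the recorded UninstallString shown.
        if ($jre.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Output "Removing $($jre.DisplayName) ($($jre.ProductCode))"
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($jre.ProductCode) /qn /norestart" -Wait -PassThru
            # 0 = success, 3010 = success but a reboot is required (expected here)
            if (@(0, 3010) -notcontains $proc.ExitCode) {
                Write-Warning "msiexec exited with $($proc.ExitCode) for $($jre.DisplayName)"
            }
        } elseif ($jre.UninstallString) {
            Write-Output "Run manually: $($jre.UninstallString)"
        }
    }
    Write-Output 'Reboot, then run the new JRE installer and clear the Java cache as described above.'
}
```

Run it once without -Remove to see the list, then with -Remove once the new offline installer is already on the desktop. The reboot before installing the new version matters: the old JRE's browser plugin DLLs (the Firefox plugin directory in the ComboFix log is where they would sit) may still be loaded until then, and an installer that runs over a locked file leaves a half-replaced runtime.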
Old 03-17-2009, 01:18 AM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

With regard to Gmer:
Open Gmer by right-clicking & Run as Administrator.
Select the Rootkit tab & uncheck the Services box then try & run the scan. Let me know how it goes.
jmw3 is offline  
Old 03-17-2009, 11:20 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

Java has been updated. Kaspersky scan ran without issues. Gmer scan ran for about 30 minutes before the black screen with the blue bar on bottom came up, which displayed the message "Beginning dump of physical memory to disk..."
I powered down and rebooted. Here is the Kaspersky log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 17, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 17, 2009 17:39:55
Records in database: 1922419
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 147290
Threat name: 2
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 03:29:45


File name / Threat name / Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000\4F3B00E1.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A440000\4B6CED3A.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A440001\4B6CEE62.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0000.VBN Infected: not-a-virus:AdWare.Win32.Agent.gov 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17240000.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000\4F3B00E1.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A440000\4B6CED3A.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A440001\4B6CEE62.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0000.VBN Infected: not-a-virus:AdWare.Win32.Agent.gov 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17240000.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1

The selected area was scanned.
ajaques20 is offline  
Old 03-18-2009, 01:19 AM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Hi
Empty your Symantec Anti-Virus Quarantine.

Your system appears to be clean, but just to make sure there is nothing hiding we'll run another tool other than Gmer.

Rooter.exe
Download Rooter.exe from Here & save it to your desktop.
  • Right-click on Rooter.exe & choose Run as Administrator to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt
  • Post the contents of the log in your next reply
Let me know how the computer is running / problems.
jmw3 is offline  
Old 03-18-2009, 10:50 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

I opened up symantec and there were no files under "quarantined." However, there were 5 files under "backup files" which I deleted. Rooter would run for a few seconds but then stop progressing at C:\Windows\prefetch\WebMediaPlayer and the scan would not progress any further. This didn't cause any other problems, it just stopped doing anything at all. I could not find any of the infected files specified by the Kaspersky scan.

My computer is still experiencing lagging issues, both in the browser and with opening up windows/programs.
ajaques20 is offline  
Old 03-19-2009, 12:40 AM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Hi
Quote:
My computer is still experiencing lagging issues, both in the browser and with opening up windows/programs.
There is really nothing remarkable in any of the logs that would explain the slowness. You could try uninstalling Symantec AV to see if that helps. If that's the problem I can offer a couple of free alternatives.
Quote:
when I came across a file that I do not remember downloading.... but in safe mode I was able to clean and delete the file.
Can you remember what the name of that file was?

We'll try one more rootkit scan:
The Avenger
Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Right click on avenger.exe & choose Run as Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
jmw3 is offline  
Old 03-19-2009, 10:38 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

I ran Avenger, and predictably it did not find anything. I uninstalled Symantec AV but I still am having the lagging issues, even as I type this response here. I think that the best option at this point would be to wipe and restore the hard drive. Do I need to uninstall DDS, Gmer, ComboFix, etc manually or is it safe to wipe them with the rest of the drive?

Thank you so much for all of your time and effort, just wish we could have gotten somewhere. Sigh, machines. Anyway, thanks again for your help, I greatly appreciate it.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.
Old 03-19-2009, 06:18 PM   #16 (permalink)
Analyst, Security Team
 
jmw3's Avatar
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Hi
Before you go down the path of Re-format & re-install, have a look here, Is your PC running slow...?. Follow the guide & see if that makes any difference.

To remove the programs we used do this:

Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
OTCleanIt
Download OTCleanIt here & save it to your desktop.
Right click on OTCleanIt.exe, choose Run as Administrator. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can also delete DDS.scr from your desktop.

Let me know how you get on.
Old 03-20-2009, 02:26 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Location: Boston, Massachusetts
Posts: 10
OS: Windows Vista Home Premium 32-bit Service Pack 1


Re: Help with trojan.brisv.A!inf

I did all of the things you gave me and some on the list, but my computer was still running slower than it had before the virus hit. I wiped and reinstalled my hard drive and it is now working fine. Once again, thank you for all of your help!

-Andrew
Old 03-20-2009, 08:54 PM   #18 (permalink)
Analyst, Security Team
 
jmw3's Avatar
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Help with trojan.brisv.A!inf

Ok... no worries, thanks for letting me know. Here's some tips & suggestions for keeping your system safe.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
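As an added example (not from the original post, and not BlueTack's tool), the script below parses a HOSTS file in the format described above and separates blocklist-style entries (names sunk to the loopback or unspecified address) from entries that redirect a name to some other address, which is what a hijacked HOSTS file looks like. The sample contents and the .test domains are constructed; the Windows path is the standard location of the file.

```python
import ipaddress
import os

# Constructed sample of a HOSTS file: the stock localhost lines, a comment,
# two blocklist entries, and one entry that redirects a name elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test    # blocklist entry (constructed)
127.0.0.1       malware.example.test
198.51.100.23   update.example-av.test      # redirect (constructed)
"""

# Standard location of the file on Windows (Vista included).
WINDOWS_HOSTS = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()                  # IP first, then one or more names
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an address: ignore the line
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Split entries into blocklist sinks and redirects to a real address."""
    blocked, redirected = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                          # the stock entries are expected
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)              # "short circuit" to this machine
        else:
            redirected.append((name, str(ip)))  # worth a second look
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    source = open(WINDOWS_HOSTS).read() if os.path.exists(WINDOWS_HOSTS) else SAMPLE_HOSTS
    print(audit_hosts(source))
```

A blocklist such as the one Hosts Manager installs should produce only `blocked` names; anything under `redirected` means a name is being sent to a different machine and should be checked.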
Copyright 2001 - 2009, Tech Support Forum